mailing list archives
Re: reputation preprocessor and IDS
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Jun 2013 21:14:23 -0400
On 6/4/2013 18:20, Joel Esler wrote:
On Jun 4, 2013, at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
i'll have to dig and see if there is/was a bug that was fixed from 126.96.36.199
to the latest snort versions... i whitelisted a CIDR block and they still
generate alerts... specifically, we saw alerts on 129:20 when snort was
reloading after setting the CIDR block in the whitelist file and bouncing
snort with a complete exit and startup... we've also seen 128:4 when
sshing into that sensor on a non-standard port but we DO have that
non-standard port listed in the ssh config section of snort.conf... these
alerts happen for only a short time and then snort seems to settle down and
stop issuing them even though those same connections are still active or
being terminated and restarted again...
Whitelist doesn't mean "totally ignore these hosts", whitelist is used in
the term of "these things in this whitelist? yeah, they /never/ get
that makes a difference... but how does it truly affect things in IDS mode? i
can see how it affects things in IPS mode where snort has to allow or disallow
the passage of the data packets but in IDS mode snort is passive as far as the
traffic flowing thru... other than raising an alert... isn't it?? so it would
seem that a whitelist entry would tell snort to not alert on that IP...
If you want to ignore a host, bpf it out like normal.
ahhh... yeah... bpf is not part of our distributed methodology... it adds too
much more to go wrong because someone didn't understand thing properly...
normally i'd just threshold the IP so that it passes everything... i think
that's how it has been done in the past isn't it?
in any case, it is one of our users that was trying this method so as to prevent
alerts from even happening on the named IP... i'm just following up on the whys
and wherefores as to why it did not work the way they (and many of us) thought
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!